What Cyberwar Might Really Look Like

IMAGINE IT’S August 2020. A powerful and rising China wants to bring the city-state of Singapore into its fold like it has with Hong Kong. Before the first

The scenario is described in a report by Christopher Bronk, a former U.S. diplomat and an IT policy specialist at Rice University's Baker Institute. The report was


response times of no more than 100 milliseconds.

The IT group plans to deliver desktop virtualization in June, followed by infrastructure as a service. SITA also plans to offer software as a service: available applications will include its baggage management system.

The cloud could help SITA and the air transportation industry cut costs

IT Leader Builds a Know-how Network


D build an enterprise “know-how platform” so that 1.6 million employees

job of selling chicken, pizza and tacos.

Oliver is vice president of global IT at Yum Brands, the $u billion owner of the KFC, Pizza Hut and Taco Bell restaurant chains.

In a highly competitive business, Yum has to continually generate profitable new ideas for domestic and international markets. Oliver said in an interview that he has a four-point IT strategy for getting employees at his “very spread-out global company” to break out of silos and share know-how. It includes the following elements:

■ An internal social network, called iChing, based on the Jive software platform. Employees use the network to post documents, ask questions, collaborate and learn about successful strategies in other areas.

■ Enterprise search technology from Coveo layered on top of iChing and other data repositories. This provides a user-friendly tool that employees use to glean insights from unstructured and structured data. In essence, the search technology stitches together multiple information sources without expensive data integration.

■ A Saba online learning system that lets employees across the planet participate in training and webinars in several languages, eliminating the need for trips to the U.S.

■ A high-definition Tandberg videoconferencing system that lets employees have virtual meetings so they don’t have to travel as much.

Krushers, a slushy drink that tested well in Australia, is an example of an innovation that the new platform helped nurture, said Oliver. The concept was posted on the iChing network, which led to other markets rolling it out quickly and with great success, he said.

The next step, now in beta, could be using the Coveo search capability to pull information from various systems to provide a consolidated, 360-degree view of each employee and present it to managers in a single dashboard.

-  Mitch  Bens 


"Activity streams have been around a while as a concept but are getting a bump in interest," noted Gartner analyst Craig Roth in a blog post last month. "IBM talked them up at Lotusphere 2011. Microsoft added an ActivityManager in SharePoint 2010." One vendor, SocialCast, views an activity stream as a corporate "central nervous system" that enhances collaboration.

But Roth said he envisions an overwhelming series of updates from customer relationship management systems ("Jim just hit his sales quota"), content management systems ("Presentation AugConfv2.pptx was added"), social networks ("Jackie commented on Susan's photo"), and project planning systems ("Task 'Get buy-in from VPs' is now 2 days

"The resulting deluge of status updates may give activity streams a bad name," Roth said. He urged vendors to include alerts, filters and recommendation engines so end
Top Tech Vendors Renew Cloud Push

IBM,  Dell  and  HP  unveil  tools  aimed  at  convincing 
IT  execs  that  cloud  services  can  be  secure  and  reliable. 
By  James  Niccolai  and  Patrick  Thibodeau 


There's  nothing  about  the  attributes  [of  cloud  services]  that  you  can't  implement 
inside  a  business. 
Facebook Reveals Its Data Center Secrets

The social networking leader shows why its new Oregon data center is said to be one of the most efficient in the world. By Robert McMillan and Sharon Gaudin

FACEBOOK this month revealed some of the secrets behind its new next-generation data center, an IT facility in rural Prineville, Ore., that some experts say is one of the world’s most efficient.

As part of the company’s Open Compute Project, Facebook officials released specifications for the data center’s custom-built rack-mounted servers, which they said weigh less and use more-efficient power systems than most others do. The company also disclosed its methods for cooling racks of servers without air conditioning.

The technical details are posted on the OpenCompute.org website hosted by Oregon State University’s Open Source Lab.

The site explains the design of the server chassis and lists the specifications for the components used in the systems, including their AMD Opteron- and Intel Xeon-based motherboards and their power supplies.

Facebook and its Open Compute Project partners — Advanced Micro Devices, Intel and Quanta — have been tweaking and

space, Skype and Zynga to build lighter, cooler systems that are easy to repair.

“These servers are 38% more efficient than the servers we were buying previously,” said Jonathan Heiliger, vice presi-

measurement for data center efficiency. The Prineville facility’s 1.07 rating is well below the industry average of around 1.5, meaning it is far more efficient than most data centers.

Facebook’s custom servers are about 6 pounds lighter than typical rack-mounted systems, but they’re thicker. While most server racks are 1U (1.75 in.) thick, Facebook’s are about 1.5U, so engineers can squeeze in taller heat sinks with more surface area and larger, more efficient fans. That means less air has to be pumped through the servers to cool them.

“We’re not selling anything today, but we do hope to benefit from this — primarily in the area of accelerating innovation,” said Frank Frankovsky, director of hardware design at Facebook.

Prineville’s central Oregon location should help in Facebook’s energy-saving efforts, City Manager Steve Forrester told Computerworld earlier this year. The city sits on a plateau at an elevation of 2,860 feet, where it’s possible to use outside air to cool systems for more than half of the year, Heiliger said in a blog post.

Zeus Kerravala, an analyst at Yankee Group, said the fact that Facebook has enough clout to drive hardware innovation says a lot about how far the company — and the social networking sector in general — have come. “If anybody still doubted the validity of social networking,” he noted, “this kind of takes care of that.”

McMillan is a reporter for the IDG News Service. Computerworld's Patrick Thibodeau contributed to this story.
Elfering

A global view helps this IT leader read cultural differences in diverse teams.

What futuristic technology would you love to see become reality? More intuitive user interfaces.

What did you want to be when you were in high school? I was always fascinated by technology. Literally I wanted to become a rocket scientist. But I started my own company at 16.

What new place would you like to visit? Although I'm doing a project in Nigeria, I've never set foot in Africa; that’s on my list to change in the not-too-distant future.

Best piece of advice you’ve ever gotten? There are two. Hug your problems, because they're opportunities for improvement. And you can change only yourself, but you control that 100%.


INGO ELFERING talks a lot about opportunities. That’s not surprising, considering he has built his career on developing transformative uses for IT. In 1987 he founded his own company, MedicalData Service, which developed software for the medical community. SmithKline Beecham bought Elfering's company in 1997 and hired him as part of the deal. A native of Germany, he came to the U.S. with his wife in 2000 when a merger created GlaxoSmithKline. Last November, Elfering became vice president of business

German citizenship and was named one of Computerworld's 2010 Premier 100 IT Leaders.

You describe yourself as “an innovator and change agent.” How do those characteristics show in your day-to-day job? We do these big projects around innovative things, or big programs that take years to accomplish or are global in scale, so you have to drive

change, but more important to me is to be open every day and look externally. Bring innovation in everything you do, not just the big projects. Scan the market externally in your own field, but also in other businesses. Opportunities can come from the strangest places. I was reading about mobile phones and banking in Africa, and a little while later we started [a project using mobile phones] in Nigeria. People buy our products and they scratch off something on the side of the box, and they see a number that they can text to a service center for us, and we can track that number and show it’s unique and that the product is produced by us. It’s a great

patients that what they’re getting is genuine medication.


You're  in  a  very  specific  industry.  Do  you  think  CIOs 




working in specialized fields? It helps a little bit, but more important is the ability to embrace change. I think your ability to learn is more important than specific industry knowledge, and a part of that is because your knowledge, particularly in IT, can change very quickly. There is something about the speed of innovation that's particularly important in IT. You have to continue your education and stay up to date and find new innovations and opportunities. When you do that, you really have something to contribute to the business. If you can translate what the business opportunities are and how IT can support that, that’s where people can make the real difference.

So  many  companies,  even  small  ones,  are  global 


and the global scale, they do bring their own specific challenges, like how do you make something comply to different privacy regulations around the world and be in compliance with all of them?

But I think in the project environment, the more challenging aspect is the cultural differences. If you have a team spread out across four or five different locations, you can’t just walk down the hall anymore and talk to somebody or get everybody into a huddle in the morning. And even if everyone speaks English, they might not talk about the same thing. We had a meeting where there was a lot of confusion about what we meant by a word. We spent half an hour explaining what the word was and our meaning around it.

What  was  the  word?  Sourcing. 

So  how  do  you  deal  with  cultural  differences  in  a 
global  team?  I  have  a  personal  benefit.  I’ve  worked 
long  enough  in  the  U.S.,  and  I’m  German,  and  I’ve 
worked  in  nearly  every  European  country,  so  I’m 
more  attuned  to  the  cultural  differences.  And  what 
my  experience  taught  me  is  you  have  to  have  that 
internal  awareness,  and  ask  lots  of  questions  and  be 
someone  who  teases  out  these  differences  and  says, 
“This  is  what  I  think  you’re  talking  about,”  or,  “There 
might  be  an  understanding  gap  here.”  That  really 
becomes  helpful  for  teams. 

Sounds like this is helpful for all teams, not just ones from diverse locales. Absolutely. My sourcing example was with people from the U.S. and U.K. They all spoke English. But there were at least six different definitions of what sourcing means. I sometimes joke about this because when you only have a hammer, everything looks like a nail, and you have to understand when you’re looking at a nail or when you’re looking at a screw. You have to train yourself to constantly have that awareness. You have to always ask questions, and you can come down to a deep understanding of what's really meant or why something is really happening.

You’ve talked about driving change during this recession. What about driving change in a good economy? In good times, you should have even more of a desire to drive and implement change because you are less forced and maybe have an opportunity to invest. You might have some upward pressure and growth you can build on. I've seen the need to innovate and change constantly. So it’s not a question of when; it’s how. The tools might vary slightly whether it’s an upturn or downturn, but technology changes and innovation keeps happening, and you should be driving that and driving it forward, and you do it all the time.

—  Interview  by  Computerworld  contributing  writer 
Mary  K.  Pratt  (maryfepratt@veriron.net) 
SJ.VAUGHAN-NI


Google's Blunder


Google says it won’t release Android 3.0, Honeycomb, until it has made it ‘better.’ This has ticked off pretty much every open-source professional.


Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300bps was a fast Internet connection - and we liked it!

He can be reached at sjvn9vnal.com.


I DON’T SAY THIS VERY OFTEN, but some days Google is stupid. Until recently, Google’s biggest blunder was Google Wave. But now Google has announced that it won’t release Android 3.0, the tablet version of its mobile operating system, until it has made it “better.”

In a statement, Andy Rubin, head of Google's Android group, said, “Android 3.0, Honeycomb, was designed from the ground up for devices with larger screen sizes and improves on Android favorites. . . . While we’re excited to offer these new features to Android tablets, we have more work to do before we can deliver them to other device types, including phones." In other words, Google will release the Honeycomb source code as soon as it’s ready. Just don’t ask when that will be.

This has ticked off pretty much every open-source professional out there. Android is under the open-source Apache Software License 2.0, which requires that the source code be released when the executable programs are released. That usually means they’re released together. But the license doesn’t insist on that.

Historically, Google has played games with the ASL's terms by letting big hardware manufacturers, such as HTC, Motorola and Sony, have an early look at Android source code. Smaller vendors, developers and open-source purists have been unhappy with that “some animals are more equal than others" approach in the past, and now Google is stretching the gap between private release and an open-source release even further. Some would say it has stretched the gap to the breaking point.

I know Google doesn’t want vendors rushing half-baked Honeycomb tablets out to the public. But you know what? I'd rather see tiny companies trying to make a fast buck by selling not-ready-for-public-consumption tablets than a big company playing games with open-source licensing.

Google already has enough intellectual property troubles, with Oracle suing over Java, Microsoft creeping toward a suit, and an assortment of open-source-related copyright claims. Does it really need to alienate the programmers? I think not.

What really troubles me, though, isn't Google playing fast and loose with the ASL. No, what bugs me about this, and what makes it one of Google's all-time dumb moves, is that the whole point of open source is that you might make your life easier by sharing the code. Right now, all of Honeycomb's development rests on a relative handful of in-house Honeycomb developers. The big OEM developers will be spending their time adding gewgaws to the base code. They're not going to help get Honeycomb out the door.

By turning its back on open source, Google is not only harming and annoying other Android developers. It’s also hurting its own operating system, and its own future.

I don’t know who came up with this idea at Google, but I do know he was an idiot. In 2011, even Microsoft, enemy of all things open, has realized the worth of open source as a development method. Google itself rests on Linux. To decide that turning the developer clock back 20 years is the right move strikes me as foolish beyond belief.

Even so, since Apple has shown no interest in the

else is really ready to enter them. I'm sure Honeycomb will be a success. I’m also sure it will be filled with more bugs than it would have been if Google had kept the code open. If Google continues on this path, Android may eventually face real challenges from webOS, Windows Phone 8 or even Windows 8.

I can only hope Google realizes the error of its ways — for its own sake, if not for the sake of its smaller developer partners and customers — in time to keep Android a top mobile operating system.
More Bang, Fewer Bucks

A government IT executive explains how technologies such as virtualization and cloud computing are stretching tight IT budgets.

Located due west of Washington D.C., Fairfax County, Va. is one of the largest counties in the United States, with more than 1 million

ees-and a drum-tight IT budget. We asked Jeff Porter, the county's director of platform technologies, to share his thoughts on strategies for doing more without spending more.

Everyone faces budget pressures these days. How can virtualization help in addressing them?

Like many other state and local governments, we’ve seen revenues decline in recent years and demand for services go up. So we’ve had to find innovative ways to get much more efficient. Virtualization has been one of our most successful strategies. Using virtualization, we’ve consolidated 600 physical servers down to just 12. That’s helped us drastically cut hardware spending and maintenance overhead, because we don’t have as many physical devices to manage. In fact, we expect to save roughly $3 million just on server procurement over the next two years, and about another $200,000 on energy. Also, virtualizing our desktops has enabled us to extend the life of our PCs. As a result, we’ve taken $2.5 million a year that used to fund new hardware purchases and reallocated it to funding innovative new services instead. That's more than just a win for IT. It’s a win for the entire county.

tion. but does virtualization contribute to productivity as well?

It certainly has in our case. Unlike private businesses, governments can’t close up shop due to heavy snowfall, a flu epidemic or some other emergency. Those are actually the times when people need us most. Using desktop virtualization, we’ve made it much easier for county employees to work from home, so they can continue serving citizens even when they can’t make it into the office for some reason. In fact, we’ve made it so easy to work from home that lots of people are doing that even when there’s no emergency. We call them “day extenders,” because they use a virtual desktop to sneak in a few extra hours of work after dinner or on the weekend.

What role can cloud computing play in stretching an IT budget?

Fairfax County is 400 square miles in size, and sometimes sending a technician out to install or remove desktop software takes too long. So we’re using an internal cloud infrastructure to power a software-as-a-service (SaaS) environment. County employees who need a new application can now file a request online. If their boss approves it, they can then complete the installation on their own. We’re also doing this for operating systems. We run mostly Windows XP at present, but if someone wants to upgrade to Windows 7, they can do that on their own via the internal cloud.

How do you keep all of that secure?

Very few of our end users have administrator rights to their machine, so the only way they can add new software is through our online self-service environment. That enables us to monitor new installations and keep the entire process safely inside our firewall. So we get better efficiency and better security in one package. It’s the best of both worlds.


WHEN TRUSTED IT PROS GO

i call from the Business Software
saying that some of the software your company uses might

You investigate and find that not only is your software illegal, it was sold to you by a company secretly owned and operated by none other than your own IT systems administrator, who's been a trusted employee for seven years. When you sta

I activities, you find a for-pay porn website he’s been running on one of your corporate servers. Then you find that he's downloaded 400 customer credit card numbers from your e-commerce server.

And here’s the worst part: He’s the only one with the administrative passwords.

Think it can’t happen? It did, according to a security consultant who was called in to help the victim, a $250 million retailer in Pennsylvania. You never heard about it because the company kept it quiet.

Despite the occasional headlines about IT folks gone rogue, m
report, which analyzes more than 250 cases.

CERT says the most common mistakes include failing to vet job applicants thoroughly, neglecting to adequately monitor the process of granting access privileges, and overlooking red flags in behavior.

But the threats posed by privilege-laden IT employees are especially hard to recognize. For one thing, staffers' nefarious

duties. IT employees routinely “edit and write scripts, edit code and write programs,” Cappelli says. They know where your security is weakest and how to cover their tracks.

Victimized companies typically won't

but security consultants who help clean up the messes sometimes do. We talked to three security pros who shared these ning tales of rogue IT employees.


Pirating Software - and Worse

The Pennsylvania retailer’s tale of woe began in early 2008,

Ed  landed  in  California,  “the  COO  was  there  to  meet  him.  He 
was  fired  on  the  spot." 

THE COST: Linkous estimates that the incident cost the company a total of $250,000 to $300,000, which includes Sabera's fee, the cost of flying Ed to the West Coast on short notice, the cost of litigation against Ed, the costs associated with hiring a temporary network administrator and a new CIO, and the cost of making all of the company's software licenses legitimate.

PREVENTIVE MEASURES: What could have prevented this disaster? Obviously, at least one other person should have known the passwords. But more significant was the lack of separation of duties. The retailer had a small IT staff (just six employees), so Ed was entrusted with both administrative and security responsibilities. That meant he was monitoring himself.

Separating duties can be a particularly tough challenge for companies with small IT staffs, Linkous acknowledges. He suggests that small companies monitor everything, including logs, network traffic and system configuration changes, and have the results evaluated by someone other than the systems administrator and his direct reports. Most important, he says, is letting IT people know that they are being watched.

Second, the company failed to do a thorough background check when it hired Ed. In CERT's research, 30% of the insiders who committed IT sabotage had a previous arrest. In fact, any kind of false credentials should raise a red flag. Although the company had done a criminal background check on Ed (which was clean), it did not verify the credentials on his resume, some of which were later found to be fraudulent. (He did not, for example, have the MBA that he claimed to have.)

Third, Ed’s personality could have been viewed as a red flag. “He seemed to believe that he was smarter than everyone else in the room," says Linkous, who met Ed face-to-face by posing as an ERP vendor before the sting operation. Ed’s arrogance reminded Linkous of the infamous Enron executives. “He was extremely confident, cocky and very dismissive of other people."

CERT has found that rogues often have prickly personalities. “We don’t have any cases where, after the fact, people said, 'I can’t believe it — he was such a nice guy,' " says Cappelli.

Outsourcing  Incenses  Employee 

“Sally,"  a  systems  administrator  and  a  database  manager,  had 
been  with  a  Fortune  500  consumer  products  company  for  10 
years  and  was  one  of  its  most  trusted  and  capable  IT  workers, 
according  to  Larry  Ponemon,  founder  and  chairman  of  the 
Ponemon  Institute,  an  IT  security  research  firm. 

She was known as a pinch hitter — someone who was able to help solve all kinds of problems. For that reason, she had accumulated many high-level network privileges that went beyond what her job required. “There is this tendency to give these people more privileges than they need because you never know when they'll need to be helping someone else out,” says Ponemon.

She sometimes worked from home, taking her laptop, which was configured with those high-level privileges. The company’s culture was such that IT stars like Sally were given special treatment, says Ponemon. “The IT people made an end-run around certain policies,” he says. “They could decide what tools they wanted on their systems.”

But when the corporation decided to outsource most of its IT operations to India, Sally didn't feel so special. Although the company had not yet formally notified the IT staff, says Ponemon, it was obvious to IT insiders that time was running out for most of the department’s employees.

Sally  wanted  revenge.  So  she  planted  logic  bombs  that  caused 
entire  racks  of  servers  to  crash  once  she  was  gone. 

At first, the company had no clue what was going on. It switched to its redundant servers, but Sally had planted bombs in those as well. The company had a hard time containing the damage because it didn’t follow any apparent rhyme or reason. “A malicious employee [who's] angry can do a lot of damage in a way that's hard to discover immediately and hard to trace later,” Ponemon notes.

Eventually, they traced the sabotage to Sally and confronted her. In return for Sally’s agreement to help fix the systems, the company did not prosecute her. In addition, Sally had to agree never to talk publicly about the incident. “They didn’t want her going on Oprah and talking about how she broke the backbone of a Fortune 500 company,” says Ponemon.

A  Rogue  IT  Gallery 


The threat from trusted insiders is real,


2011:  A  software  engineer  at  British  Airways  was  found 
guilty  of  using  his  position  to  plan  a  terrorist  attack  on 
behalf  of  a  Yemen-based  radical  cleric. 


2010: An IT employee at Bank of America pleaded guilty to charges that he hacked the bank’s ATMs to dispense cash without recording the activity.

2010:  A  contract  programmer  who  was  fired  by  Fannie 
Mae  was  convicted  of  planting  malicious  code  that  was 
set  to  destroy  all  data  on  the  organization's  nearly  5,000 

2010: A Goldman Sachs programmer was found guilty of stealing computer code for high-frequency trading from the investment bank when he left to join a startup.

2010:  A  Utah  computer  contractor  pleaded  guilty  to 
stealing  about  $2  million  from  four  credit  unions  that 
he  performed  IT  services  for. 

2008: A systems administrator at Medco Health Solutions who was worried about layoffs planted a logic bomb that would have deleted prescription data from Medco's network.

2006:  A  systems  administrator  at  UBS  PaineWebber 
who  was  disgruntled  with  his  pay  and  bonuses  was  found 
guilty  of  planting  a  logic  bomb  that  affected  about 
1,000  company  computers  and  caused  about  $3  million 
worth  of  damages. 
THE COST: The estimated total cost to the company: $7 million, which includes $5 million in opportunity costs (downtime, disruption to business and potential loss of customers) and $2 million in fees for forensics and security consultants, among other things.

PREVENTIVE MEASURES: What did the company do wrong? First, the incident is a classic example of “privilege escalation,” which is what happens when privileges are granted to an individual to handle a specific task but are not revoked when the person no longer needs them, says Ponemon.
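The kind of review that catches this accumulation can be automated. The following is an added example, not part of the original article: it compares each privilege grant against a role baseline and flags out-of-role grants whose task has ended or that were never given an end date. The role names, privileges, ticket numbers, users and the 90-day threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str
    ticket: str                    # task the privilege was granted for
    granted: date
    needed_until: Optional[date]   # None = no end date was ever recorded


# Constructed sample data: roles, privileges, tickets and users are assumptions.
ROLE_BASELINE = {
    "dba": {"db-admin", "backup-operator"},
    "helpdesk": {"password-reset"},
}
USER_ROLES = {"jdoe": "dba", "asmith": "helpdesk"}
GRANTS = [
    Grant("jdoe", "db-admin", "HR-0001", date(2005, 1, 10), None),
    Grant("jdoe", "domain-admin", "HD-1001", date(2009, 3, 1), date(2009, 3, 15)),
    Grant("jdoe", "firewall-admin", "HD-1440", date(2010, 11, 1), None),
    Grant("asmith", "password-reset", "HR-0002", date(2010, 2, 1), None),
    Grant("asmith", "vpn-admin", "HD-2001", date(2011, 5, 20), date(2011, 6, 30)),
    Grant("asmith", "mail-admin", "HD-2002", date(2011, 5, 1), None),
]


def review(grants, user_roles, baseline, today, max_open_days=90):
    """Return (user, privilege, ticket, reason, days) for grants to revoke or re-justify."""
    findings = []
    for g in grants:
        role = user_roles.get(g.user)
        if g.privilege in baseline.get(role, set()):
            continue  # part of the job itself, not a task-specific exception
        if g.needed_until is None:
            # Out-of-role grant with no end date: flag once it has been open too long.
            age = (today - g.granted).days
            if age > max_open_days:
                findings.append((g.user, g.privilege, g.ticket, "no-end-date", age))
        elif g.needed_until < today:
            # The task it was granted for is over, but the privilege is still active.
            overdue = (today - g.needed_until).days
            findings.append((g.user, g.privilege, g.ticket, "task-ended", overdue))
    # Oldest problems first, so the reviewer starts with the longest-lived excess.
    return sorted(findings, key=lambda f: f[4], reverse=True)


def excess_by_user(findings):
    """Count stale out-of-role privileges per user, to spot accumulation."""
    counts = {}
    for user, *_ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in review(GRANTS, USER_ROLES, ROLE_BASELINE, today=date(2011, 6, 1)):
        print(finding)
```

The output of such a review should go to someone other than the administrators whose grants it lists.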

Second, an entitlement culture led to no separation of duties and very little oversight of IT. Because of that, management missed an important red flag. After the incident, the company discovered that Sally had “lost” 11 laptops over the previous three years. The help desk staff was aware of this, but no one ever reported it to management, partly because of Sally's status in the organization. Nobody knows what she did with those laptops; it could be that she was just careless — but “that's a problem in and of itself if you're a systems administrator,” Ponemon observes.

Third,  given  the  tense  atmosphere  created  by  the  outsourcing 
decision,  the  company  should  have  been  more  vigilant  and  more 
proactive  in  monitoring  potentially  angry  employees. 

Even if you haven’t announced anything to your employees, it's a mistake to think they don’t know what's going on, says Ponemon. “The average rank-and-file [worker] knows within a nanosecond of when the CEO signs the [outsourcing] contract,” he says. If you aren't already monitoring your IT people, now is the time to start. For best results, kick off the program with a very public pronouncement that you are now monitoring the staff.

According  to  CERT,  many  cases  of  sabotage  are  the  result  of 
a  disgruntled  employee  committing  an  act  of  revenge.  And  such 
acts  can  happen  in  the  blink  of  an  eye,  as  the  next  story  illustrates. 

A  Firing  Gone  Wrong 

When this Fortune 100 company upgraded its security, it made a nasty discovery. One of its senior system admins, who had been there at least eight years, had surreptitiously added a page to the company's e-commerce website. If you typed in the company URL followed by a certain string of characters, you got to a page where this admin, whom we'll call “Phil,” was doing a brisk business selling pirated satellite TV equipment, primarily from China, according to Jon Heimerl, director of strategic security at Solutionary, a managed security services provider hired to address the problem.

The  good  news:  Improved  security  caught  the  perpetrator.  The 
bad  news:  Management  botched  the  firing  process,  giving  him 
an  opportunity  to  take  a  parting  shot. 

Itself  a  retailer  in  high-tech  equipment,  the  company  wanted 
to  get  rid  of  Phil  and  his  website  as  quickly  as  possible  because  it 

Phil's  manager  and  security  staffers  were  on  their  way  to  his  office, 
a  human  resources  representative  called  Phil  and  told  him  to  stay 
put.  Heimerl  isn’t  sure  exactly  what  the  HR  person  said,  but  it  was 
apparently  enough  for  Phil  to  guess  that  the  jig  was  up. 


Already logged in to the corporate network, he immediately deleted the corporate encryption key ring. “As he was hitting the Delete key, security and his manager showed up and said, ‘Stop what you're doing right now, and step away from the terminal,’” according to Heimerl. But it was too late.

The file held all the encryption keys for the company, including the escrow key — a master key that allows the company to decrypt any file of any employee. Most employees kept their own encryption keys on their local systems. However, the key ring held the only copies of encryption keys for about 25 employees — most of whom worked in the legal and contracts departments — and the only copy of the corporate encryption key. That meant that anything those employees had encrypted in the three years since they had started using the encryption system was permanently indecipherable — and thus virtually lost to them.

THE  COST:  Heimerl  hasn't  calculated  how  much  money  the 
incident  cost  the  company,  but  he  estimates  that  the  loss  of  the 
key  ring  file  amounted  to  about  :8  person-years  of  lost  productiv¬ 
ity  —  a  figure  that  takes  into  account  both  the  work  that  went 
into  creating  files  that  are  now  permanently  encrypted  and  the 
time  devoted  to  re-creating  materials  from  drafts,  old  emails  and 
other  unencrypted  documents. 

PREVENTIVE MEASURES: Focusing only on what happened after they discovered the rogue website, the company made two crucial mistakes, says Heimerl. It should have shut down Phil's access immediately upon discovering his activities. But managers also left themselves vulnerable by not keeping a secure backup of critical corporate information. (Ironically, the company thought the key ring was so sensitive that no copies should be made.)

The  Best  Defense  is  Multifaceted 

The  overall  lesson  from  these  horror  stories  is  that  no  single 
thing  can  protect  you  from  rogue  IT  people.  You  might  have 
great  technical  security  —  like  the  multitiered  security  system 
that  ultimately  detected  Phil's  unauthorized  website  —  and  yet  a 
simple  mistake  by  HR  can  lead  to  disaster.  Or  there  could  be  big 
red  flags  in  terms  of  behavior  or  personality  that  go  unnoticed  — 
like  Sally’s  missing  laptops. 

tion  that  offers  the  best  protection,  says  CERT's  Cappelli. 

And yet it's hard to convince companies to do both. Executives tend to think such problems can be solved with technology alone, at least partly because they hear vendors of monitoring systems and other security products claiming that their tools offer protection. “We're trying to figure out how to get the message to the C-level people that this is not just an IT problem,” Cappelli says.

It's a difficult message to hear, and a lesson that many companies only learn the hard way. Even if more companies were forthcoming with the details of their horror stories, most CEOs would still think it could never happen to them. Until it did.

Harbert is a Washington, D.C.-based writer specializing in technology, business and public policy. She can be contacted through her website, TamHarbert.com.


“We're trying to figure out how to get the message to the C-level people that this is not just an IT problem.”

DAWN CAPPELLI, TECHNICAL MANAGER, CERT INSIDER THREAT CENTER
Don't sign that contract until you consider five red flags in cloud service deals.

BY  STACY  COLLETT 




Contract  Clinchers 

Avoid  legal  risks  in  the  cloud  by  drawing  up  a 
contract  that  does  the  following: 


search  warrant  or  subpoena 

security  controls 


e-discovery  requests 


a  new  subcontractor  or  moves  data 
exit  clause  i 


the  data  is  and  maintain  control  of  it  in  the  cloud. 

As  Masur  puts  it:  “You  have  data  moving  all  over  the  world  to 
wherever  [the  cloud  provider]  has  capacity.  It's  not  just  the  provider, 
but  a  whole  web  of  subproviders  and  subcontractors  and  platforms. 
Where  exactly  is  it  at  any  moment  in  time?  How  many  countries 
is  it  hitting  and  thereby  [subject  to]  the 


to understand the legal requirements of jurisdictions in which the provider operates.” Otherwise, if the cloud provider stores or transports the customer's data in a foreign country, “the consumer becomes subject to laws and regulations it may not know anything about,” the council says.

For  example,  the  European  Union  has  some  of  the  strictest 




Search Warrants

One of the scary features of public clouds is that data from multiple customers may be kept on the same server, says Dinkel. “If the provider gets served by a warrant with regard to one customer, and a number of other customers’ data happens to be on the same server, all that data could be seized and become inaccessible to the company that was not the intended target of the search,” she explains.

Commingling  of  data  was  a  serious  problem  in  2009,  when  the  FBI 
raided  two  data  centers  in  Texas  as  part  of  an  investigation  involving 
a  specific  data  center  customer.  FBI  agents  seized  about  220  servers, 
as  well  as  routers,  switches,  server  cabinets  and  even  power  strips. 
Press  reports  indicated  that  the  seizure  resulted  in  millions  of  dollars 
in  lost  revenue  for  the  data  center.  It  also  put  many  of  the  data  center’s 
customers  out  of  business  or  at  risk  of  closure,  according  to  reports. 

How do you mitigate such risks? A private cloud can certainly eliminate commingling. If that’s not an option, get assurances from the cloud service provider regarding how customer data is partitioned, so that a search warrant and seizure doesn't affect your data.

E-discovery 

A data owner who is sued has an obligation to preserve any information that’s relevant to the litigation and to collect it for legal discovery purposes. The requirement to preserve data applies if the data is in your “custody, control or possession.” And for cloud customers who own data, “it’s pretty clear at this point that if it's in the cloud, it’s still considered to be in your custody, control or possession,” says Dinkel. So if the vendor doesn’t preserve it or can’t produce data before the discovery deadline, then the cloud user “can be sanctioned for that,” she says.


What’s more, the opposing party can go directly to the cloud provider to find relevant records. “The data owner loses control of the situation at that point,” Dinkel says.

Complicating matters further, cloud providers have different storage procedures, and if data isn’t mapped properly, retrieving it could be difficult and expensive.

When an e-discovery request lands at your door, you must be able to produce documents in a timely manner. If you can't, you could face heavy fines (in one case, the proposed fine was $50,000 per day). What's more, companies may have to go back three to five years for relevant data because cases can take years to reach the courts.

Big cloud providers are aware of the need for prompt action on e-discovery requests, and they're often able to track and retrieve data quickly by maintaining the original metadata attached to the records.

Lawyers  say  cloud  contracts  should  require  vendors  to  maintain 
metadata  for  easy  retrieval  and  compel  them  to  meet  deadlines  for 
producing  electronic  documents  when  requested. 

Data  Security 

Methods for protecting data in the cloud, such as encryption, are well documented. But there are also risks associated with having all of a company’s records in one location, where they would provide hackers with a tempting smorgasbord of information. Some cloud providers are already addressing that risk.

The  security  model  for  Google  Apps,  for  instance,  allows 
stored  data  to  be  separated  at  the  bit  level  and  distributed  to 
multiple  sites  across  the  country.  "We  found  that  intriguing,”  says 
Menefee,  a  Google  Apps  user.  “If  they  had  a  breach,  the  [hacker] 
would  only  have  components,  pieces  of  a  giant  puzzle." 

Another question: Who pays for costs associated with a security breach in the cloud? “You want [the service provider] to be paying for it — because it may be something on their end that caused the breach,” says Dinkel.


“If there is a breach, it’s [the cloud service provider's] responsibility, not ours.”

DOUGLAS MENEFEE, CIO, SCHUMACHER GROUP


SECURITY

Forging a Steel Wall

Forté, says that the dedicated Windows workstations his company sells to hospital emergency room administrators must not only be secure, but absolutely tamperproof as well. After all, lives depend on the machines’ flawless operation.

Forté’s applications show emergency medical technicians the emergency room’s current availability status, “so our software must be the program that is always running,” Phillips says. “We cannot have anyone closing our program, adding games, changing Windows settings and so on.”

Phillips  and  others  who  need  to  create  highly  secure  worksta¬ 
tions  or  servers  are  turning  to  hardening  to  create  a  virtual  steel 

Hardening  software 
to  prevent  security 
breaches  is  coming 
back  into  fashion. 
And,  yes,  it’s  worth 
the  trouble. 

BY  JOHN  EDWARDS 
just closes the gaps.”


any less practical or useful. “It's still one of the least expensive and most effective ways of protecting yourself or preventing infections or outages,” says Chris Rafter, vice president of consulting services at Logicalis Group, a systems integrator in Bloomfield Hills, Mich.

Peter  Makohon,  a  senior  security  and  privacy  manager  at  the 
New  York  office  of  professional  services  firm  Deloitte  &  Touche, 
says  hardening  is  coming  back  into  fashion  as  more  enterprises 
face  pressure  to  patch  every  possible  security  hole  that  could 
conceivably  be  exploited  as  a  pathway  into  a  corporate  system. 
Regulatory  compliance  is  another  factor  that's  inspiring  many 
enterprises,  particularly  those  in  highly  regulated  industries,  to 
take  another  look  at  hardening. 

Just about any enterprise can benefit from hardening, Rafter says. “Operating systems and applications are definitely a lot more secure than they were a long time ago, but there's still logic to turning off unnecessary services and basically only activating and using what you really need,” he contends. “Plus, it doesn't require a great deal of effort.”

Most vendors long ago dropped any objections to customers hardening their products. Many — including Microsoft — actively encourage the practice. “Hardening an operating system is a key step in protecting a system from intrusion,” says Chase Carpenter, a manager in Microsoft's Windows Server unit.

Carpenter says enterprise hardening efforts have traditionally covered the client and server operating systems, but with attacks increasingly targeting the application layer, the focus of hardening is shifting to applications. Microsoft views its Security Compliance Manager and Security Baseline products as hardening tools.


Manual  or  Automatic? 

While  most  user  organizations  opt  to  handle  the  hardening  work 
themselves  —  assigning  the  task  to  either  IT  staffers  or  outside 

that's designed to automate the process. For example, CellTrust, a mobile applications developer in Scottsdale, Ariz., hardened its servers and its Linux-based network appliances with a product called Security Blanket from Raytheon Trusted Computer Solutions, based in Herndon, Va.

Vahid Sedghi, CellTrust's vice president of technical services, says that the decision to go with a hardening product came down to convenience and a desire not to take IT staffers away from their core responsibilities. “It was either having our Linux folks go manually out there and see what has been applied and what hasn't been applied in our environment, or letting this tool to do the work in a more automated fashion,” he explains. Sedghi says


Getting  It  Right 

Knowing  exactly  what  to  keep  or  delete  among  the  various 
operating  system  or  application  tools  and  features  is  the  biggest 
challenge  facing  users  undertaking  hardening  projects  for  the 
first  time.  Organizations  that  decide  to  do  the  work  in-house 
need  to  commit  to  a  process  of  gathering  information  about  best 
practices,  says  Makohon. 

He notes that operating system and application vendors, as well as open-source organizations, are usually willing to offer some guidance to enterprises embarking on hardening projects. Software- and security-oriented Web forums are also good sources of practical information about hardening.


Hardening: The Basics

■ Limit the number of user accounts.
■ Curb access rights.
■ Configure common security settings.
■ Apply necessary patches and updates.
■ Use encryption where possible to protect critical data.
■ Configure the system to log appropriate and inappropri-
■ Configure the system to make it difficult or impossible for attackers to cover their tracks.


Trouble 

Ticket 


the  analysis  or  conduct  the  analysis  our¬ 
selves.  Burdening  the  third  parties  may 
hinder  innovation.  Doing  it  ourselves 
will  add  to  our  overhead. 


WE  HAVE  a  major  problem, 
which  explains  why  I'm 
sitting  in  an  airport 
right  now.  I’m  heading 
off  to  visit  some  third 
parties  that  develop  portions  of  our  soft¬ 
ware  for  us. 

The  problem  is  that  some  software 
we  recently  developed  in-house  was 
infected  with  malware,  and  the  source  of 
that  malware  was  traced  back  to  a  third 
party’s  code.  We  were  fortunate  that  the 
malware  was  pretty  well  contained,  but 
the  fact  that  this  could 
happen  at  all  raises  ques¬ 
tions  about  the  security  of 

After I heard about this
incident, I started looking
into my company's software development
life-cycle (SDLC) process, which
is meant to help us develop systems in a
very deliberate and structured manner.
To my mind, any SDLC that doesn't
include taking sanity checks on security
isn't worth much. And upon investigation,
it was painfully obvious that we
lacked robust security sanity checks for
third-party code. Apparently, assumptions
were made and we ended up with
verbiage in our contracts that said it
would be the third party's responsibility
to verify that all code was free of security
bugs and other potentially threatening
anomalies. Assumptions about security
always make me wince.

In my meetings, I want decisions
made on roles and responsibilities, expectations
and methodology. Of course,
I don't expect developers or quality
assurance engineers to manually review
source code, so I expect to invest in technology
that will help in this analysis.

As I prepared for this trip, I started
looking into the technologies
that are available
in the marketplace
for this sort of automated
code vetting, and
my initial investigation
has revealed that several companies offer
such tools. There are products that would
reside in-house, or we could go with a
software-as-a-service option. At this early
stage, I find the SaaS model intriguing,
since my company has a Web-based collaboration
tool that allows third parties
to submit code for incorporation into our
homegrown software.

One  question  we  will  have  to  answer 
is  whether  we  want  to  burden  the  third 
parties  with  the  responsibility  of  doing 


is reviewed for indications of poor
programming practices that could lead
to a security incident, such as leaving
sensitive information in the comments
of the code; not conducting bounds
checks, which can result in buffer overflow
attacks; and lack of input validation,
which may lead to SQL injection
attacks. Dynamic analysis is more, well,
dynamic. In a dynamic analysis, you
actually attack the compiled application
and look for indications that it's susceptible
to exploitation.

One constraint for us is that we'll have
to find a product that maps to all the
programming languages we use; we don't
want to have to invest in multiple products
to cover everything. And we'll have
to review the license model, the support
structure, the reporting mechanism
and overall flexibility when it comes
to incorporating the product into our
various SDLC processes. In addition, I'll
want the ability to audit and govern the
process if necessary.

After my travels, and no doubt a lot
more meetings, I'll formulate business
requirements and draw up process documents.
I don't imagine this will be an
overnight change, but given the risks,
there will most definitely be a change. ♦

This week's journal is written by a real
security manager, "Mathias Thurman,"
whose name and employer have been disguised
for obvious reasons. Contact him at
mathias_thurman@yahoo.com.
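
The three static-analysis findings the column names (sensitive information in comments, copies with no bounds check, SQL built without input validation) can be pictured as an intake check on submitted code. The sketch below is an added example, not part of the column and not any vendor's product; the rule names, regular expressions and the C sample are constructed assumptions, and commercial analyzers parse the code rather than pattern-match it.

```python
import re

# Constructed sample of a third-party C submission (not from any real vendor).
SAMPLE = '''\
/* TODO remove: db password = "s3cr3t-constructed" */
int lookup(char *name) {
    char buf[16];
    char query[256];
    strcpy(buf, name);              // no bounds check
    strncpy(buf, name, sizeof buf - 1);
    sprintf(query, "SELECT * FROM users WHERE name='%s'", name);
    return run(query);
}
'''

# Assumed rules. Comment markers inside string literals are not handled.
COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)
SECRET = re.compile(r'(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]')
UNBOUNDED = re.compile(r'\b(strcpy|strcat|gets|sprintf|vsprintf)\s*\(')
SQL_FMT = re.compile(r'(?i)"\s*(select|insert|update|delete)\b[^"\n]*%s')

def line_of(src, pos):
    return src.count('\n', 0, pos) + 1

def scan(src):
    """Return sorted (line, rule) findings for one source file."""
    findings = set()
    # Rule 1: credentials left in comments. Only comment text is searched.
    for c in COMMENT.finditer(src):
        for s in SECRET.finditer(c.group()):
            findings.add((line_of(src, c.start() + s.start()), 'secret-in-comment'))
    # Blank out comments (keeping newlines) so rules 2 and 3 see code only.
    code = COMMENT.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), src)
    # Rule 2: copies with no length argument, the classic overflow source.
    for m in UNBOUNDED.finditer(code):
        findings.add((line_of(code, m.start()), 'unbounded-copy:' + m.group(1)))
    # Rule 3: SQL text assembled with %s instead of bound parameters.
    for m in SQL_FMT.finditer(code):
        findings.add((line_of(code, m.start()), 'sql-built-from-input'))
    return sorted(findings)

def gate(src):
    """Intake decision: accept only when the scan is clean."""
    return 'accept' if not scan(src) else 'reject'

if __name__ == '__main__':
    for line, rule in scan(SAMPLE):
        print(f'line {line}: {rule}')
    print(gate(SAMPLE))
```

The bounded `strncpy` call on line 6 of the sample is deliberately left unflagged, which is the kind of distinction a reviewer would want in the tool's report.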


Apparently,  assumptions  were  made  about  third-party 
code.  Assumptions  about  security  always  make  me  wince. 
THE QUALITY of business relationships is based on much more than
the quality of the products and services we deliver. If we're going to
improve the relationship between IT groups and the people who
consume our technology, we're going to have to start thinking more
carefully about their experience of us as well.


As engineers, we tend to believe that the quality
of our products should speak for itself, but this
never really works out too well. First, we are not
merely technology providers. The experience of
working with us is part of our value. Second, the
consumers of our products can't really directly
determine the quality of our products. If they
knew enough to judge the technology, they probably
wouldn't need us at all; they'd be experts
themselves. So they judge by the quality of the
experience they have working with us.

But  there  is  no  single  experience  of  working 
with  us.  As  technology  has  pervaded  almost 
every  area  of  our  enterprises,  the  number  of  ways 

expanded  significantly.  There  are  three  dominant 
types  of  experiences  that  IT  consumers  have,  each 
with  different  expectations  and  perceived  values. 

Daily operations. Business functions like
finance, marketing and logistics have incorporated
technology into virtually every aspect of their
work. The systems we have purchased, customized
and written enable them to meet their daily objectives.
And most of the people working in those
functions live in front of screens as much as we do.

Every day, even when things are going perfectly,
they experience our technology and have feelings
about how it affects them. Sometimes that technology
feels like a tool that enables them; at other
times, it feels like an obstacle constraining them.

But when something stops working, they feel
frustrated. And when they contact us for support,
they are already upset. How we handle their emotions
at that moment colors how they think of us
in every circumstance.

So how we handle support affects how they feel
about us generally.

Operational adaptation. Beyond everyday
work, IT consumers want us to help them improve
their operations. Whether they are trying to increase
efficiency, consolidate functions or adapt to
new processes, they need to change how the daily
operations use technology.

We help them adapt through projects. The goal
of nearly every project is operational change, and
the experience of working with us on prioritizing,
planning and implementing these changes is
distinct from their experience of daily operations.

Strategic change. In the past, business functions
didn't really think about IT when considering
strategic transformation. We were included
only as an implementation afterthought. But as
business models have become more dependent on
technology as a fundamental enabler, we have (or
should have) become central to strategic planning.

The expectations of how we participate
strategically are quite distinct from operations or
adaptation. But how our consumers feel about our
services at lower levels colors how they feel about
us at higher levels. It's not uncommon for consumers
to wonder, "If they can't fix my laptop, how
can they contribute to strategic planning?"

To improve our relationships with our consumers,
we need to understand the context of the
value we are offering and the expectations that
come with that type of value. ♦
YOU PROBABLY THOUGHT the consumerization of IT was a big
trend even before Apple sold 15 million iPads in the device's first
year. Now, seemingly overnight, tablets have overrun IT. Just about
every smartphone and PC maker has announced a near-iPad
tablet of its own, and they're all due any day now.
Gartner predicts that 69 million tablets will be
sold in 2011. And here's the part that matters most
to you: Forrester analyst Ted Schadler estimated
in a March report on tablets in the enterprise that
about half of those first 15 million iPads are commuting
to the office every day.

It's inevitable, because tablets fill a need for
users. No other device handles meetings as well.
Tablets are light (even compared to netbooks),
plus they have long battery life, and they're less
off-putting to colleagues because you can type
almost silently and your face isn't obscured by the
display. And their screen size gives them an advantage
over smartphones. Ever tried to whip out
your smartphone in a meeting to check something
on the Web? A phone is too small to pull down
menus and press navigation buttons comfortably.
What usually happens is that the conversation
passes you by. A tablet like the Apple iPad or the
Motorola Xoom offers a better overall design for
use during meetings.

Tablets  are  also  a  good  fit  at  companies  where 
employees  travel  frequently  or  move  about  all  day, 
and  in  fields  like  healthcare,  financial  services, 
manufacturing  and  retail.  A  tablet  is  an  excellent 


intimate settings like restaurants. And while both
Forrester and IDC don't expect tablets to replace
laptops, I have to wonder whether that outlook
might change in a couple of years.

Challenges 

Like any new platform, tablets bring with them a
host of concerns for IT leaders, and you're probably
not yet prepared to manage and support them
in the enterprise. My advice: Don't delay.

If you haven't developed a bring-your-own-technology
policy, do so now. If you have such a
policy but it isn't well evolved or hasn't been well
communicated to employees, get to work.

As always, you can't neglect security. It may
surprise you to learn that most experts consider
Apple's iOS 4.3 to be acceptably secure for typical
industries, while Android still needs work. Whichever
platform you use, Forrester's Schadler recommends
limiting the amount of data stored on
tablets (by keeping it on a server or in the cloud)
for both security and e-discovery reasons.

But  apps,  of  course,  are  a  big  part  of  the  tablet 
experience,  so  these  might  be  the  questions  that 
enterprise  IT  organizations  need  to  consider  most 
closely:  Do  you  go  with  a  vendor  for  an  enterprise 
app  store?  How  do  you  deliver  support  for  your 
internal  applications?  How  do  you  handle  legacy 
apps?  (And  that,  by  the  way,  might  be  desktop 
virtualization’s  true  point  of  entry.)  Do  you  build 
native, cross-platform or Web-based apps? Do you
limit  tablet  support  to  one  platform?  Is  HTML5  a 
strong  part  of  the  solution?  (Not  in  the  short  run.) 

Still  thinking  you  can  avoid  those  headaches  by 
saying  no?  Then  consider  this:  Tablets  may  also 
represent  a  significant  customer-facing  business 
opportunity.  In  a  March  report  about  tablets  in 
business,  Gartner  analyst  David  A.  Willis  wrote: 
“If  you  can  think  of  an  application  for  tablets,  your 
competition  may  well  be  thinking  in  the  same 
way . . .  and  acting  on  it.” 

So  while  you  have  to  consider  management  and 
support,  you  also  have  to  recognize  that  tablets 
could  deliver  significant  ROI  or  even  revenue.  And 
you  can’t  afford  to  say  no  to  that.  ♦ 